to Rob's World!: Like me, you may be the victim of a Spammer.
During the month of November 2002 (the first time it happened to me), someone began forging my domain
name (RobsWorld.org). The spammer forged the From: and Reply-To:
fields of his/her spam messages. The spam in question advertised
adult web sites, and had a subject line which began with the phrase: "Need
a date?" or "Married but lonely?".
I have also been the victim of numerous additional identity forgery incidents since the Nov 2002 episode (Most recently - May of 2008). See below for From:/Reply-To: forgery in general. The same stands true for all these incidents. I didn't do it! I'm not a spammer.
I assure you, and the administrators
of your ISP/domain, that I did not send you any spam email. It
is very likely that the email in question was spam sent by someone
who forged my email address/domain. These messages did not come
from me. Someone else was forging my email address to send their
SPAM. I first learned about this spammer, and the domain forgery,
on the 7th of November 2002. The domain name forgery stopped by
the 21st of November, but the spamming continued using other forged
domain names. If you've received a spam message with my domain
name/email address in the From: or Reply-To: field, I'd appreciate it if you
could forward me the entire message, with the full header intact.
The message content and headers are essential in tracking down
the individual(s) responsible for forging my email address/domain.
I do not want anyone sending SPAM with my name on the message.
See my Feedback
page for contact information.
Why would a spammer
forge header data?: Spammers forge email header data like
the From:, Reply-To: and Return-Path: lines because they do not want to receive
complaints (or have complaints routed to their ISP). They just want your money.
They want to remain anonymous so that they can continue to practice their illegal activities. So they can continue violating the law and stealing the resources and money of innocent victims. Unfortunately email forgery is simple and commonplace. Forgery
of email header data makes it nearly impossible for the average
email recipient to complain about or report spam effectively. If you
can't figure out who really sent you the spam, you can't get them
Unfortunately, many ISPs haven't figured out that spammers forge the header data. Many ISPs still send out automatice replies/bounce messages based on these same header lines. When ISPs respond to the From:, Reply-To: and Return-Path: headers, they make the spam problem worse. What they should do is defer acceptance of the message until the recipient status is verified. If the message cannot be delivered for any reason, they should refuse to accept the message for delivery. Instead they accept the message and then check to see whether it can be delivered.
What I did about
it: As a company/web site administrator, you can't prevent
spammers from forging your email address/domain in the spam that
they send. You can't do it. You can't conceal your email addresses and only reveal
them to trustworthy individuals. Your clients, visitors, and friends
need to be able to contact you. All you can do is react when a
spammer forges your name/domain on a piece of spam.
I did my best to figure out who was forging my domain/email address. I contacted numerous ISP's, web hosts, and system administrators in an effort to find out who was forging my domain/email address. Over the past 5 years or so, I've gotten fairly good at tracking down spammers. I know how to detect header forgery, how to de-obfuscate encoded URL's, and how to track ISP/web host contact information. I used all the skills at my disposal, to track down the guilty party, but in the end, I was unable to determine who was responsible for this forgery and identity theft. Unfortunately, while you may be able to figure out what IP/email service is responsible for sending the spam. The truth is that you will almost never discover the identity of the individual responsible for the spam. They are 'Protected' by privacy laws, and sometimes they have the added protection of a spam-friendly ISP/mail host. The ISP responsible may feign ignorance, ignore the problem, or refuse to help you in any way whatsoever.
I notified my web and mail hosts. I didn't want Rob's World! shut down, because of complaints from people who didn't realize that the spammer was forging my domain/email address.
I put up a lengthy explanation (this page), describing the circumstances surrounding the incident. That way annoyed spam recipients that came to my web site would understand what happened, and that I wasn't responsible for the spam message(s) he/she received.
I collected evidence (printed and electronic copies of complete emails, including all headers) in case it became necessary, to either pursue the spammer through the courts, or convince a skeptic that I didn't send the spam.
I'm not surprised that some unscrupulous spammer forged my email address. Over the years, I've been responsible for shutting down quite a few spammers. I wasn't too surprised when a spammer decided to drag my name through the mud. I tried my best to put an end to the criminal abuse of my internet identity, the various ISP's, and everyone who received the unsolicited commercial email. I currently (when I originally wrote this web page (back in 2002)) have documented evidence of at least fifty two instances where this spammer forged my email address. Since then I've been a victim many more times.
How can you be sure
I wasn't responsible for the spam?: Every email message sent over
the internet, contains information called header data. Some of
that header data can be forged, some of it cannot. Spammers typically
forge a large percentage of their header data. If you receive/have
received an email (allegedly from me), I encourage you to examine
the full headers. Most email clients (Software) have a 'show full
headers' feature/capability. Examine the IP addresses in the header,
you will likely find that much of the data is forged, and you
will also find that the header data does not point back to me,
my ISP, my web host, or my mail server(s). If you are unsure how
to read/interpret the header data, I encourage you to do a little
research. You can start by reading a tutorial on
how to read email header data.
Here's a few more links that may provide additional information regarding email headers. How to read/analyze the header data and the internet standard for header data.
So what should you
do with this spam?: If you've received some of this spammers
email (spam which appears to be sent by me). I'd ask you to do two things. First, send an abuse report
via email, to the ISP that relayed the email to your email server/service.
(Don't send an email to the From:, Reply-To: or Return-Path: address. Don't send an email to the postmaster/abuse address of the From:, Reply-To: or Return-Path: address. Doing so is nearly guaranteed to get no attention, or make matters worse. I guarantee it's not my email server/service (I'm not a spammer). Secondly, send a
copy to me. Please be sure to include the full header. As I stated
earlier; the message content and headers are essential in tracking
down the individual(s) responsible for forging my email address/domain,
and sending the spam.
What should you do
about spam in general?: The simplest thing to do is just delete
it. Replying directly to the forged From:, Reply-To: or Return-Path: address
is ineffective, as either (a) the From: or Reply-To: addresses
are forged, or (b) your email address will be added to a list of 'Working email addresses', which the spammer
can use to optimize his or her operations, or sell to other spammers.
Try to avoid loading spam in an email client which automatically downloads and displays images. Spammers often encode your email address in the URL used to retrieve those images. By examining their web server logs, they can determine if you received the email, and whether you read it. Rendering HTML capable email can also expose you to several different varieties of viruses and trojans (Some HTML rendering engines do not download/display images by default).
For the same reason, don't click on any links in suspected spam. Doing so will only confirm your email address as 'Live prey'!
If you want to do some detective work, look at the domain tools
page, which has a nice collection of online tools for deciphering URLs, tracing website ownership, and researching ISP contact information. But be careful! It's all too easy to point the finger at the wrong person. Spammers try to cover their tracks, and more than one of the email headers will typically be forged.
And obviously, never buy anything from a spammer. You don't really think your credit information is safe with somebody who forges emails for a living, do you?
How do you know I am who I say I am? When
communicating via email, I take several measures to authenticate
and identify myself. These measures can easily be detected in
my email headers (and body), and are extremely difficult to forge. I doubt
any spammer would go through the trouble of trying. If you receive
an email which is allegedly from me, but doubt it's authenticity,
I urge you to forward a copy to me. For information on how to
contact me, please see my Feedback
For more information about spam, and how I feel about it, refer
to my spam offer
The final update (or is it?): The
last known date for this forgery (the forgery of my domain that started back in November of 2002) occurred on 21 November 2002. During
this two week period, I racked up documented evidence, which included
52 unique email addresses which were spammed by this low life. Unfortunately,
I wasn't able to track down the person responsible for this activity.
The ISP's, web hosts, and system administrators that I dealt with
were reluctant, unwilling, or unknowing in their responses, and
the spammer used numerous techniques to hide his/her true identity.
During the investigation, I received a lot of bounce messages, automated
replies, and total silence in response to my inquiries. Maybe next
time I'll catch the criminal.
The war continues: When I originally wrote this back in 2002, I didn't anticipate that there would be more incidents of this kind of attack. Is it intentional? I don't know, the only manner in which spammers communicate to their victims is through spam. Through the collateral damage they inflict, through the injuries they cause. They wouldn't dare reveal themselves directly to their victims. To do so would be brave, and we know that all spammers are cowards. They hide behind compromised servers, they hide behind false identities, they obfuscate the links to their web sites, they deflect criticism and replies with forged From: and Reply-To: addresses. They exist in a criminal state of anonymity. They know that what they do is illegal, and they don't want to go to prison, or lose their ill-gotten loot.
The battle continues... It's a war I tell you, a war! and I won't rest until the last spammers head rests on a pike outside my mail-servers fire-wall! Death to Spammers! (Not-intended as an actual death threat to anyone in particular. I don't know any actual spammers. They're all to cowardly to reveal their true identities.)
From:/Reply-To: forgery in general: I'm not the only one who has had his email address forged in the From:, Reply-To: or Return-Path: address of a spammers message. It happens to thousands of people. It happens all the time. There are basically two types of this forgery:
One is the trivial use of your own address in order to bypass spam filtering efforts. You wouldn't filter against your own email address, would you? This trivial forgery is limited to that spam message. A singular piece of spew directed to you alone. While the spam run itself may consist of hundreds of thousands of messages, each one contains a different From: or Reply-To: address. Result: The spam gets past your filtering mechanisms, and you have to deal with it in a more personal manner.
The other type of forgery. Their are two types of Joe-Jobs.
The first one is the use of your email address in the From:, Reply-To: or Return-Path: field of every email message that the spammer sends. Every spam contains your email address! The spam messages are your typical cut rate viagra, penis enlargers, porno offers, stock tips, cut rate mortgages, etc. Nothing directed specifically at you. The spammer is trying to make money from the millions of suckers out there. The result? A huge flood of non-delivery bounces, remove-me requests, out-of-office, identity verification requests, cease and desist orders, and some threats. If you own a domain (and it's being forged), you could lose your email or web services. You may have to do some serious explaining (evidence this web page) to the administrators of your email or web service(s).
The second type is an intentional attack on your business, domain, or name. It's relatively easy to identify. The content of the spammer's message will directly implicate you, your business or domain, as being responsible for some sort of egregious criminal activity. For example, It might accuse (or implicate) that you are involved in sexual slave trade of pre-pubescent child porn. It might try to imply that you are intentionally sending viruses in an attempt to shut-down american oil refineries. It's a personal attack. The result, a flood of venomous replies, threats, possible police investigation, the loss of your email/web services. I hope it never happens to me!